Don't Know What It Is... It Might Be A Vundo Virus
Hi again people of Bd!
So here's the story: my friend told me about some weird stuff going on with his computer, but he doesn't have a BD antivirus program (it's something else). I told him about the magnificent help I got from you guys last time my computer was in trouble. So he thought I might ask about it here, since he's too lazy to do it himself:
His computer is really slow, more so than usual (he has about 2 of RAM and a 4 GHz processor, running Windows Vista).
His Internet Explorer pops up some weird pages and then opens new tabs by itself, and those tabs don't show anything (blank pages).
His explorer.exe crashes occasionally (the desktop disappears, leaving only the background showing...).
And his internet is quite a bit slower than usual too (100 Mb/s connection speed).
His HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28:31, on 17.06.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\RTHDCPL.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by ML Arvutid
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] Skytel.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Kalmu\AppData\Local\Temp\mlJYrqNf.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Kalmu\AppData\Local\Temp\opnOGwTM.dll,c
O4 - HKCU\..\Run: [c88a927f] rundll32.exe "C:\Users\Kalmu\AppData\Local\Temp\pbjgmhli.dll",b
O4 - HKCU\..\Run: [bMcbb9a1e3] Rundll32.exe "C:\Users\Kalmu\AppData\Local\Temp\vacgoopm.dll",s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: TrioBet Poker - {019BB34E-96AC-4aa7-A5DE-3CC7442D4E38} - C:\Microgaming\Poker\TriobetMPP\MPPoker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
--
End of file - 6846 bytes
He also added that he downloaded a crack, and after that all this started.
Thanks for your help!
Regards,
Erik and his friend c(: .
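The entries that make this log look like Vundo are the four O4 lines where rundll32.exe loads a DLL with a random-looking name out of the user's AppData\Local\Temp folder, each with a one-character or ordinal entry point, and two of them under value names made of hex digits. Below is an added example, not part of the original post and not code from HijackThis or ComboFix, that parses O4 lines (and the equivalent `"name"="path"` lines from the ComboFix "Reg Loading Points" section posted later in the thread) and scores each autorun on those indicators. The scoring weights and the threshold of 3 are my own assumptions; the sample lines are copied from the logs in this thread.

```python
"""Heuristic triage of autorun entries from HijackThis (O4) and ComboFix
(REGEDIT4 "Reg Loading Points") log lines.  Added example for this thread,
not part of HijackThis or ComboFix; the scoring weights are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 lines and ComboFix Run-key lines copied from the
# logs posted in this thread (benign vendor entries plus the Temp DLLs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Kalmu\AppData\Local\Temp\mlJYrqNf.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Kalmu\AppData\Local\Temp\opnOGwTM.dll,c
O4 - HKCU\..\Run: [c88a927f] rundll32.exe "C:\Users\Kalmu\AppData\Local\Temp\pbjgmhli.dll",b
O4 - HKCU\..\Run: [bMcbb9a1e3] Rundll32.exe "C:\Users\Kalmu\AppData\Local\Temp\vacgoopm.dll",s
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 10:33 1233920]
"BMcbb9a1e3"="C:\Users\Kalmu\AppData\Local\Temp\vacgoopm.dll" [2008-06-16 21:07 90112]
"""

# HijackThis:  O4 - HKCU\..\Run: [ValueName] command line
HJT_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# ComboFix:    "ValueName"="command line" [date time size]
COMBOFIX_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]+)"')
# First drive-letter path ending in .dll/.exe, optionally followed by ,entrypoint
MODULE = re.compile(r'(?i)"?(?P<path>[a-z]:\\[^",]+?\.(?:dll|exe))"?(?:,(?P<entry>\S+))?')
HEX_RUN = re.compile(r'[0-9a-f]{8}', re.I)


@dataclass
class Finding:
    source: str            # "hijackthis" or "combofix"
    name: str              # registry value name
    module: str            # path of the module that actually runs
    entry: Optional[str]   # rundll32 entry point, if any
    via_rundll32: bool
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3   # assumed threshold: Temp location alone is enough


def parse_entry(line: str) -> Optional[Finding]:
    """Turn one log line into a Finding, or None if it is not an autorun line."""
    line = line.strip()
    m, source = HJT_O4.match(line), "hijackthis"
    if not m:
        m, source = COMBOFIX_RUN.match(line), "combofix"
    if not m:
        return None
    cmd = m.group("cmd")
    mod = MODULE.search(cmd)
    if not mod:
        return None
    return Finding(source=source, name=m.group("name"), module=mod.group("path"),
                   entry=mod.group("entry"), via_rundll32=cmd.lower().startswith("rundll32"))


def score_entry(f: Finding) -> Finding:
    """Apply the indicators seen in this thread's log; weights are assumptions."""
    path_l = f.module.lower()
    stem = f.module.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\appdata\\local\\temp\\" in path_l or "\\temp\\" in path_l:
        f.score += 3; f.reasons.append("module lives in a Temp directory")
    if f.via_rundll32 and not path_l.startswith("c:\\windows\\"):
        f.score += 1; f.reasons.append("rundll32 loading a DLL outside the Windows directory")
    if f.entry and (f.entry.startswith("#") or len(f.entry) == 1):
        f.score += 1; f.reasons.append("entry point is an ordinal or a single letter")
    if HEX_RUN.search(f.name):
        f.score += 1; f.reasons.append("value name contains an 8-hex-digit run")
    # Random-looking names such as mlJYrqNf flip case several times.
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    if flips >= 3:
        f.score += 1; f.reasons.append("module name has random-looking case changes")
    return f


def scan(log_text: str) -> List[Finding]:
    return [score_entry(f) for f in map(parse_entry, log_text.splitlines()) if f]


def suspicious_modules(log_text: str) -> List[str]:
    """Distinct file names of flagged modules, lower-case and sorted."""
    return sorted({f.module.rsplit("\\", 1)[-1].lower()
                   for f in scan(log_text) if f.suspicious})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{tag:10} [{f.source}] {f.name}: {f.module}  "
              f"({'; '.join(f.reasons) or 'no indicators'})")
```

Run against the sample, the four Temp DLLs are flagged and the NVIDIA, Sidebar and Media Player entries are not; the Temp-location rule is deliberately the heaviest weight because legitimate software does not register a Run value that points into a user's Temp folder, while the name and entry-point rules only add confidence.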
Comments
"Good" job with the crack!
We should not help you for this!
Pack these files in a zip or rar archive protected with the password infected and attach it here!
C:\Users\Kalmu\AppData\Local\Temp\mlJYrqNf.dll
C:\Users\Kalmu\AppData\Local\Temp\opnOGwTM.dll
C:\Users\Kalmu\AppData\Local\Temp\pbjgmhli.dll
C:\Users\Kalmu\AppData\Local\Temp\vacgoopm.dll
After this, download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then close all running programs, including web browser, instant messenger, etc., and then run ComboFix.
It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while it is running. While doing this your screen may disappear, but don't worry, that is normal behaviour.
At the end ComboFix will generate a log file. Save it and post it here.
OK, he did all that you requested before (AND is VERY grateful for your help, even though you said that you shouldn't help us at all...)
And the result is that it's all OK at the moment... But I'll let you know as soon as I can if there are any changes.
Here is the ComboFix log:
ComboFix 08-06-16.5 - Kalmu 2008-06-17 23:07:15.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1257.1.1033.18.1106 [GMT 3:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.
2008-06-17 15:25 . 2008-06-17 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 15:08 . 2008-06-17 15:08 <DIR> d-------- C:\VundoFix Backups
2008-06-15 13:29 . 2008-06-16 23:37 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-15 13:25 . 2008-06-16 12:16 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-06-15 13:25 . 2008-06-15 13:25 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-06-15 13:25 . 2008-06-15 13:25 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-06-15 13:25 . 2008-06-15 13:25 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-06-15 13:24 . 2008-06-15 13:24 <DIR> d-------- C:\ProgramData\avg8
2008-06-15 13:24 . 2008-06-15 13:24 <DIR> d-------- C:\Program Files\AVG
2008-06-15 12:35 . 2008-06-15 12:35 <DIR> d-------- C:\Users\Kalmu\AppData\Roaming\Lavasoft
2008-06-15 12:35 . 2008-06-15 12:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-11 20:05 . 2008-04-25 05:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 20:05 . 2008-04-26 11:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-11 20:05 . 2008-04-25 07:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 20:05 . 2008-05-10 04:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-09 23:53 . 2008-06-09 23:53 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-08 13:16 . 2008-06-08 13:16 <DIR> d-------- C:\PerfLogs
2008-06-06 12:43 . 2008-01-19 10:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-06-06 12:42 . 2008-01-19 09:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-06-06 12:41 . 2008-01-19 10:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-06-06 12:41 . 2008-01-19 10:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-06-06 12:41 . 2008-01-19 10:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-06-06 12:41 . 2008-01-19 10:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-06-06 12:41 . 2008-01-19 10:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-06-06 12:41 . 2008-01-19 10:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-06-06 12:41 . 2008-01-19 10:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-06-06 12:41 . 2008-01-19 10:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-06-06 12:41 . 2008-01-19 10:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-05-23 01:20 . 2008-05-23 01:20 1,044,480 --a------ C:\Windows\System32\libdivx.dll
2008-05-23 01:20 . 2008-05-23 01:20 200,704 --a------ C:\Windows\System32\ssldivx.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 12:18 --------- d-----w C:\Program Files\DivX
2008-06-16 22:43 --------- d-----w C:\Users\Kalmu\AppData\Roaming\Microgaming
2008-06-16 18:17 --------- d-----w C:\ProgramData\Skype
2008-06-15 16:58 --------- d-----w C:\Users\Kalmu\AppData\Roaming\LimeWire
2008-06-15 10:39 --------- d-----w C:\Program Files\DivoCodec
2008-06-08 10:23 174 --sha-w C:\Program Files\desktop.ini
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Mail
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Journal
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Defender
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-08 10:17 --------- d-----w C:\Program Files\Windows Calendar
2008-06-08 09:57 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-08 09:57 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-07 20:47 --------- d-----w C:\Program Files\World of Warcraft
2008-06-01 13:34 --------- d-----w C:\Program Files\Warcraft III
2008-05-27 10:44 --------- d-----w C:\Users\Kalmu\AppData\Roaming\GetRightToGo
2008-05-02 07:46 --------- d-----w C:\ProgramData\FreeRIP
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 10:33 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 10:36 2153472 C:\Windows\System32\oobefldr.dll]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-21 07:56 171464]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 10:33 125952]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 12:03 868352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 10:33 202240]
"cmds"="C:\Users\Kalmu\AppData\Local\Temp\opnOGwTM.dll" [2008-06-16 21:06 322560]
"BMcbb9a1e3"="C:\Users\Kalmu\AppData\Local\Temp\vacgoopm.dll" [2008-06-16 21:07 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 15:51 4435968 C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-09-11 11:35 1998896]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 12:21 16270848 C:\Windows\RTHDCPL.exe]
"SkyTel"="Skytel.exe" [2007-04-13 15:36 1822720 C:\Windows\SkyTel.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 11:14 86016 C:\Windows\SoundMan.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CTCheck"="C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 12:08 397312]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 13:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 13:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 13:15 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-15 13:25 1177368]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/9/2007 5:46:29 PM 113664]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [1/18/2007 3:48:42 PM 2752512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{A67D9BD9-3CFB-4A2C-AB13-C091E5207661}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{72F2693F-625D-4BAC-9F84-3F5D35467F9A}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{08F49836-5A27-4C23-B4F5-5245B9D1CBA6}C:\\users\\kalmu\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\kalmu\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{29A4A136-2C8C-4493-9356-0AC4FEEFFB15}C:\\users\\kalmu\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\kalmu\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"TCP Query User{956F19BF-35E2-4C74-AC57-6644ABCFEE6D}C:\\downloads\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\downloads\wow-burningcrusade-enus-installer-downloader.exe:Blizzard Downloader
"UDP Query User{C4A37C44-1465-4EF7-8392-A09FBA90F560}C:\\downloads\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\downloads\wow-burningcrusade-enus-installer-downloader.exe:Blizzard Downloader
"TCP Query User{58AD8BDC-DB2F-4D9A-9B6F-58AE3A0BD6F5}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{596BEF15-106A-4794-9304-0322027BE936}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{21F71782-13F6-4BA4-8036-009B54397750}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{83A5B0BD-63F4-4F46-9BDD-17A427862103}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{B3B1EC44-F656-4B13-A356-27BE7FC9E027}C:\\program files\\world of warcraft\\wow-1.12.0-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-1.12.0-enus-downloader.exe:Blizzard Downloader
"UDP Query User{3312FAA6-EF6A-4F41-AC6B-05477C531DE9}C:\\program files\\world of warcraft\\wow-1.12.0-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-1.12.0-enus-downloader.exe:Blizzard Downloader
"{2B4FABF1-CA70-4D45-9CAF-85AC0C8BA243}"= UDP:3724:Blizzard Downloader
"{CE55A773-A370-4C8C-B084-62C0F32CFD5B}"= UDP:6112:Blizzard Downloader
"TCP Query User{A5131756-B75A-4844-BA38-F7FE8385C92A}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{57C19C8D-5C8B-4AE9-A1F7-89B2836D65F6}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{9F4DE367-30EF-42BB-A101-6303D110832C}C:\\users\\kalmu\\appdata\\local\\temp\\flashget.exe"= UDP:C:\users\kalmu\appdata\local\temp\flashget.exe:flashget.exe
"UDP Query User{0C9B0C40-7E8A-46DF-B154-7F3C516351CD}C:\\users\\kalmu\\appdata\\local\\temp\\flashget.exe"= TCP:C:\users\kalmu\appdata\local\temp\flashget.exe:flashget.exe
"TCP Query User{B6B957CB-515F-4F33-94A6-A03497D8FEAB}C:\\program files\\world of warcraft\\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe:Blizzard Downloader
"UDP Query User{3F3D29CF-FDFD-4568-8A57-8CBEA09279CE}C:\\program files\\world of warcraft\\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe:Blizzard Downloader
"TCP Query User{245D8CD8-555B-4245-80BD-622978F30415}C:\\users\\kalmu\\documents\\minu vastuvõetud failid\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\kalmu\documents\minu vastuvõetud failid\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{B8F86CBE-46AF-4300-9A78-BC78061CE278}C:\\users\\kalmu\\documents\\minu vastuvõetud failid\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\kalmu\documents\minu vastuvõetud failid\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"TCP Query User{E0F2DDEF-A033-42A9-822E-76F6762423C1}C:\\program files\\world of warcraft\\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe:Blizzard Downloader
"UDP Query User{7BAB68DD-5F34-4E67-B979-F0178C71513D}C:\\program files\\world of warcraft\\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe:Blizzard Downloader
"TCP Query User{E3FBC4FD-A3E3-4F81-A56E-2276819A8DCB}C:\\windows\\system32\\solidstatenetworks\\solidstateion\\solidnm.exe"= UDP:C:\windows\system32\solidstatenetworks\solidstateion\solidnm.exe:solidnm
"UDP Query User{BCE4DF20-A627-4308-A398-AB32D3220063}C:\\windows\\system32\\solidstatenetworks\\solidstateion\\solidnm.exe"= TCP:C:\windows\system32\solidstatenetworks\solidstateion\solidnm.exe:solidnm
"TCP Query User{7F1CD308-F768-459E-BC78-585BD952E5C2}C:\\program files\\world of warcraft\\wow-2.2.2.7318-to-2.2.3.7359-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.2.7318-to-2.2.3.7359-enus-downloader.exe:Blizzard Downloader
"UDP Query User{AE764339-A03A-4BC6-BA1E-1F2C6F4F0ED9}C:\\program files\\world of warcraft\\wow-2.2.2.7318-to-2.2.3.7359-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.2.7318-to-2.2.3.7359-enus-downloader.exe:Blizzard Downloader
"TCP Query User{10F98101-BC57-4D2B-8204-FB11C89C3C60}C:\\program files\\ngd studios\\regnum online\\liveserver\\roclientgame.exe"= UDP:C:\program files\ngd studios\regnum online\liveserver\roclientgame.exe:RegnumOnline
"UDP Query User{5F19EC95-55D1-4C5E-8D07-2B2EB9AF0664}C:\\program files\\ngd studios\\regnum online\\liveserver\\roclientgame.exe"= TCP:C:\program files\ngd studios\regnum online\liveserver\roclientgame.exe:RegnumOnline
"{A76C2600-202F-45A4-A6D0-71F6016B73F6}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{E018397F-D256-486C-B00A-A19B123FB8D7}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{5ED4295A-48DE-4543-8EAD-E5FE16C0AB9E}C:\\program files\\games-masters.com\\cabal online (europe)\\launcher\\update\\estdnheadless.exe"= UDP:C:\program files\games-masters.com\cabal online (europe)\launcher\update\estdnheadless.exe:EST! download engine
"UDP Query User{F4940E7D-1BED-4032-8081-BECD718FD7A6}C:\\program files\\games-masters.com\\cabal online (europe)\\launcher\\update\\estdnheadless.exe"= TCP:C:\program files\games-masters.com\cabal online (europe)\launcher\update\estdnheadless.exe:EST! download engine
"TCP Query User{D5B323E3-4019-4133-A502-5A4CF78F220B}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{FD2E09B0-937E-4D86-8FD2-879D17C225B9}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{ED272957-11FC-4003-A38E-AF8CD08C7B3F}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{0CADEBEB-B9B6-499E-8829-DB4F79564FBA}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{7D86F79F-4BE0-4596-BE62-92ED922B96B2}C:\\program files\\valve\\cstrike_1.6\\hl.exe"= UDP:C:\program files\valve\cstrike_1.6\hl.exe:Half-Life Launcher
"UDP Query User{ACB1E08A-17C7-435B-9840-D644B7FA331F}C:\\program files\\valve\\cstrike_1.6\\hl.exe"= TCP:C:\program files\valve\cstrike_1.6\hl.exe:Half-Life Launcher
"TCP Query User{92B7E2FD-5A86-4053-82AC-E64DCA0D1FED}C:\\program files\\world of warcraft\\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe:Blizzard Downloader
"UDP Query User{5813C636-2958-4AA2-B95C-03436344DE1F}C:\\program files\\world of warcraft\\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe:Blizzard Downloader
"TCP Query User{B2D4514C-5A3F-49E7-8978-71F35C3AB4DA}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{D644191A-3B1C-4F67-BB6B-68036C038A35}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{79C14041-E648-46C9-8784-EB59FF42CBAC}C:\\users\\kalmu\\desktop\\new folder\\wow-1.12.0-enus-downloader.exe"= UDP:C:\users\kalmu\desktop\new folder\wow-1.12.0-enus-downloader.exe:wow-1.12.0-enus-downloader.exe
"UDP Query User{D9A37535-49BE-40D8-A5E3-504C4D31C07C}C:\\users\\kalmu\\desktop\\new folder\\wow-1.12.0-enus-downloader.exe"= TCP:C:\users\kalmu\desktop\new folder\wow-1.12.0-enus-downloader.exe:wow-1.12.0-enus-downloader.exe
"TCP Query User{0E79E66D-512D-4F73-974B-C08DEB1B932A}C:\\users\\kalmu\\desktop\\new folder\\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe"= UDP:C:\users\kalmu\desktop\new folder\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe:wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe
"UDP Query User{9B0EFDA9-CF15-4691-B507-6EF1609D8675}C:\\users\\kalmu\\desktop\\new folder\\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe"= TCP:C:\users\kalmu\desktop\new folder\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe:wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe
"TCP Query User{144BA0F4-29A6-4BF7-945D-8D82A7ED8701}C:\\users\\kalmu\\desktop\\new folder\\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe"= UDP:C:\users\kalmu\desktop\new folder\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe:wow-1.12.x-to-2.0.1-enus-patch-downloader.exe
"UDP Query User{CCDD5BF2-3B9F-4460-8791-6AFEE364F8D9}C:\\users\\kalmu\\desktop\\new folder\\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe"= TCP:C:\users\kalmu\desktop\new folder\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe:wow-1.12.x-to-2.0.1-enus-patch-downloader.exe
"TCP Query User{728E6792-9B1D-4445-A180-F82E5B9B6D53}C:\\program files\\world of warcraft\\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe"= UDP:C:\program files\world of warcraft\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe:Blizzard Downloader
"UDP Query User{43F2A8AF-FC58-493B-B11F-103BD4061A4C}C:\\program files\\world of warcraft\\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe"= TCP:C:\program files\world of warcraft\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe:Blizzard Downloader
"TCP Query User{52586688-0E78-46A9-97DF-002CD79849A7}C:\\program files\\world of warcraft\\wow-2.1.0.6692-to-2.1.0.6729-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.0.6692-to-2.1.0.6729-enus-downloader.exe:Blizzard Downloader
"UDP Query User{1926E98B-514A-4994-B495-71C2CE461D7E}C:\\program files\\world of warcraft\\wow-2.1.0.6692-to-2.1.0.6729-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.0.6692-to-2.1.0.6729-enus-downloader.exe:Blizzard Downloader
"TCP Query User{6049C711-6850-442A-AD58-1E7D256BC5E5}C:\\program files\\world of warcraft\\wow-2.1.0.6729-to-2.1.1.6739-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.0.6729-to-2.1.1.6739-enus-downloader.exe:Blizzard Downloader
"UDP Query User{13865377-B166-4BA8-B9FC-0A57B674CEE2}C:\\program files\\world of warcraft\\wow-2.1.0.6729-to-2.1.1.6739-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.0.6729-to-2.1.1.6739-enus-downloader.exe:Blizzard Downloader
"TCP Query User{2937A1F3-AAEF-41AB-9990-58A15EFC4D25}C:\\program files\\world of warcraft\\wow-2.1.0-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.0-enus-downloader.exe:Blizzard Downloader
"UDP Query User{BF7AA9F3-1358-47E7-92CA-DBAA7BC6C6D3}C:\\program files\\world of warcraft\\wow-2.1.0-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.0-enus-downloader.exe:Blizzard Downloader
"TCP Query User{06365DBA-09A3-4022-9E8B-43E02F298FD9}C:\\program files\\world of warcraft\\wow-2.1.1.6739-to-2.1.2.6803-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.1.6739-to-2.1.2.6803-enus-downloader.exe:Blizzard Downloader
"UDP Query User{1F512D76-FCE2-4D0A-B111-07E43BC997F1}C:\\program files\\world of warcraft\\wow-2.1.1.6739-to-2.1.2.6803-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.1.6739-to-2.1.2.6803-enus-downloader.exe:Blizzard Downloader
"TCP Query User{E42CCB46-B912-4F86-9A38-1861A38C8B35}C:\\program files\\world of warcraft\\wow-2.1.2.6803-to-2.1.3.6898-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.2.6803-to-2.1.3.6898-enus-downloader.exe:Blizzard Downloader
"UDP Query User{BB82B80B-1177-408E-84D5-CF08A2307871}C:\\program files\\world of warcraft\\wow-2.1.2.6803-to-2.1.3.6898-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.2.6803-to-2.1.3.6898-enus-downloader.exe:Blizzard Downloader
"TCP Query User{9705DB2E-16A0-47D1-9D79-F01B106B8E31}C:\\program files\\world of warcraft\\wow-2.2.0-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.0-enus-downloader.exe:Blizzard Downloader
"UDP Query User{26C2D05D-7100-4F40-8D54-0A105D79D4FF}C:\\program files\\world of warcraft\\wow-2.2.0-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.0-enus-downloader.exe:Blizzard Downloader
"TCP Query User{93FD1827-7998-4A65-9F0C-12CF29CF8C8E}C:\\program files\\raven software\\sof2\\sof2mp.exe"= UDP:C:\program files\raven software\sof2\sof2mp.exe:SoF2MP
"UDP Query User{A7CC6559-9B39-47DF-926B-E54EAFC6DE2D}C:\\program files\\raven software\\sof2\\sof2mp.exe"= TCP:C:\program files\raven software\sof2\sof2mp.exe:SoF2MP
"TCP Query User{10C3EF80-8DC0-4D6D-B994-DD2605C5FC33}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{A5A63D6B-E7E5-41D2-AD1C-68D5728AE5A5}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{B752FCBD-4858-4890-B60D-CE098C30E8AF}C:\\program files\\codemasters\\rf online;\\rf.exe"= UDP:C:\program files\codemasters\rf online;\rf.exe:RFLauncher
"UDP Query User{2A52255B-418C-44DF-AE64-1011800FDE9D}C:\\program files\\codemasters\\rf online;\\rf.exe"= TCP:C:\program files\codemasters\rf online;\rf.exe:RFLauncher
"TCP Query User{00AB5272-0497-4BD7-A738-3A5B22E99F62}C:\\program files\\toshiba\\bluetooth toshiba stack\\tosbtpcs.exe"= UDP:C:\program files\toshiba\bluetooth toshiba stack\tosbtpcs.exe:Bluetooth PAN Client
"UDP Query User{E7C2C5CD-5EBF-40E8-928D-0E657E1D0D3E}C:\\program files\\toshiba\\bluetooth toshiba stack\\tosbtpcs.exe"= TCP:C:\program files\toshiba\bluetooth toshiba stack\tosbtpcs.exe:Bluetooth PAN Client
"TCP Query User{4F671B67-4C6C-49EC-8844-9F1D08A8FCBD}C:\\program files\\codemasters\\operationflashpoint\\operationflashpoint.exe"= UDP:C:\program files\codemasters\operationflashpoint\operationflashpoint.exe:Operation Flashpoint
"UDP Query User{43C0C517-9955-416F-85D9-DE7D61A478DC}C:\\program files\\codemasters\\operationflashpoint\\operationflashpoint.exe"= TCP:C:\program files\codemasters\operationflashpoint\operationflashpoint.exe:Operation Flashpoint
"TCP Query User{B8644332-F14D-4021-BCB5-7B459699B441}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"UDP Query User{E9E1D88D-6EB2-42BB-B5B8-0CB2FA1FF927}C:\\windows\\system32\\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"{2D42CAA3-2677-4A63-B0A0-050131679634}"= UDP:C:\Program Files\utorrent\utorrent.exe:µTorrent
"{8312E98E-23C4-4CA0-BED2-0C53A63FEDEA}"= TCP:C:\Program Files\utorrent\utorrent.exe:µTorrent
"TCP Query User{F1B057F8-FFD9-4988-9632-1066764E02AE}C:\\program files\\darkeden\\darkeden.exe"= UDP:C:\program files\darkeden\darkeden.exe:DarkEden
"UDP Query User{93D0E800-90B8-4C13-80F5-FD23BAF3CF80}C:\\program files\\darkeden\\darkeden.exe"= TCP:C:\program files\darkeden\darkeden.exe:DarkEden
"TCP Query User{A6670441-1D72-4603-A76D-5F3C6D4DC1C4}C:\\program files\\valve\\cstrike_1.6\\hlds.exe"= UDP:C:\program files\valve\cstrike_1.6\hlds.exe:HLDS Launcher
"UDP Query User{311C5D00-20D8-4092-A46E-B2ECD0FFD4F6}C:\\program files\\valve\\cstrike_1.6\\hlds.exe"= TCP:C:\program files\valve\cstrike_1.6\hlds.exe:HLDS Launcher
"TCP Query User{4F69BF4E-5381-4A0F-A3AF-D7621CF79EC7}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{C510D7BE-E9E4-4C67-9692-F2D88334602E}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{AE72F508-69C3-43A6-83F3-3A4C44FDCA48}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{3C6A59F1-2E1B-40AD-BBDD-976B60CADC49}C:\\users\\kalmu\\documents\\minu vastuvõetud failid\\the all-seeing eye\\eye.exe"= UDP:C:\users\kalmu\documents\minu vastuvõetud failid\the all-seeing eye\eye.exe:eye.exe
"UDP Query User{26C336B0-DFAB-4838-B64F-E09B57A8CC88}C:\\users\\kalmu\\documents\\minu vastuvõetud failid\\the all-seeing eye\\eye.exe"= TCP:C:\users\kalmu\documents\minu vastuvõetud failid\the all-seeing eye\eye.exe:eye.exe
"TCP Query User{E9473AAA-70A3-490E-ADF9-A0289F2EF076}C:\\users\\kalmu\\desktop\\the all-seeing eye\\eye.exe"= UDP:C:\users\kalmu\desktop\the all-seeing eye\eye.exe:eye.exe
"UDP Query User{441F6AB9-3160-4F0A-B84D-CCCA82421D11}C:\\users\\kalmu\\desktop\\the all-seeing eye\\eye.exe"= TCP:C:\users\kalmu\desktop\the all-seeing eye\eye.exe:eye.exe
"TCP Query User{170448C7-0BEE-42CE-80A3-49D91E9253F1}C:\\program files\\codemasters\\rf online\\rf.exe"= UDP:C:\program files\codemasters\rf online\rf.exe:RFLauncher
"UDP Query User{07C33D05-F491-4A82-9A4D-3359B58E86AE}C:\\program files\\codemasters\\rf online\\rf.exe"= TCP:C:\program files\codemasters\rf online\rf.exe:RFLauncher
"{7F99167B-0861-461B-85FB-C77A30B097D5}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{9CB46944-7A45-4C76-AA49-E44251DC8679}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-15 13:25]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-15 13:25]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-15 13:25]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-15 13:25]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc2796ae-5d3a-11dc-a5c7-0019dba593f5}]
\shell\AutoRun\command - L:\Setup.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 15:11:33 C:\Windows\Tasks\User_Feed_Synchronization-{143CBFC8-EC0D-42E0-8BB8-A3DB474EC6C6}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 23:10:10
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
[0] 0x000028E3
[0] 0x20000000
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Kalmu\AppData\Local\Temp\pbjgmhli.dll
-> C:\Users\Kalmu\AppData\Local\Temp\vacgoopm.dll
-> C:\Users\Kalmu\AppData\Local\Temp\opnOGwTM.dll
.
Completion time: 2008-06-17 23:11:17
ComboFix-quarantined-files.txt 2008-06-17 20:10:56
Pre-Run: 120,881,467,392 bytes free
Post-Run: 132,799,787,008 bytes free
229 --- E O F --- 2008-06-14 16:34:17
And ComboFix also saved a "Bug.txt" file:
pushd "C:\327882R2FWJFW\"
=============================================
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Kalmu\AppData\Roaming
cfldr=327882R2FWJFW
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KALMU-PC
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Kalmu
kmd=CF22653.exe
LOCALAPPDATA=C:\Users\Kalmu\AppData\Local
LOGONSERVER=\\KALMU-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
sfxname=C:\Downloads\ComboFix.exe
system=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Kalmu\AppData\Local\Temp
TMP=C:\Users\Kalmu\AppData\Local\Temp
USERDOMAIN=Kalmu-PC
USERNAME=Kalmu
USERPROFILE=C:\Users\Kalmu
windir=C:\Windows
=============================================
if not defined sfxname goto END
If [] == [] Set "SfxCmd="
if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort
if exist "C:\Users\Kalmu\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\Users\Kalmu\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\Windows\system32\cmd.exe" to Administrators group was successful
copy /y "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF22653.exe"
1 file(s) copied.
if not exist "C:\Windows\system32\CF22653.exe" catchme -l nul -c "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF22653.exe"
For /F "tokens=*" %g in ("C:\Downloads\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)
Set FileName 1>FileName 2>nul
GREP -Gisqx "FileName=[-[:alnum:]@.]*" FileName || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)
DIR /AD/B C:\* | Findstr -IVX ComboFix 1>dirname00
Findstr -LIXC:"ComboFix" dirname00 1>nul && call :NameChk
If exist dirname0? del /Q dirname0?
If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf Findstr *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)
If exist "\ComboFix" rd /s/q "\ComboFix"
If exist "\ComboFix" goto :eof
VER | Findstr -ic:"[Version 6.0" && (Call :Vista ) ||
Microsoft Windows [Version 6.0.6001]
type nul 1>Vista.mac
swxcacls "C:\Windows\system32\cmd.exe" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q
swxcacls "C:\Windows\system32\cmd.exe" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q
swreg query "hkcu\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>MUI00
swreg query "hku\.default\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>>MUI00
SED -r "$!N; /^(.*)\n\1$/!P; D" MUI00 1>MUI01
For /F "tokens=*" %g in (MUI01) do @if exist "C:\Windows\system32\%~g\cmd.exe.mui" (
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /oa /q
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /p /ga:f /gs:f /gp:x /gu:x /q
Copy /y "C:\Windows\system32\%~g\cmd.exe.mui" "C:\Windows\system32\en-us\CF22653.exe.mui"
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q
)
GREP -sq . MUI01 && (
del /q MUI0? 2>nul
goto :eof
)
CD ..
Set "comspec=C:\Windows\system32\CF22653.exe"
(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW\*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\Windows\system32\CF22653.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd
NirCmd exec hide "C:\Windows\system32\CF22653.exe" /f:off /d /c call Start_.cmd
NirCmd execmd del "\327882R2FWJFW\prep.cmd"
EXIT
Thanks in advance from my friend...
And here's the zip file of the infected files:
[Password: Infected]
Infected.zip
And here's his latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:22, on 17.06.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\RTHDCPL.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Users\Kalmu\Desktop\VundoFix.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\clear.exe
--
End of file - 1503 bytes
Now Internet Explorer and Mozilla are both popping trash up again... blank windows, blank tabs and sometimes some advertising tabs and windows.
Erik.